Wednesday, June 08, 2011
Setting up IPv6 Tunnel with Hurricane Electric (Tunnelbroker.net)
Since today is World IPv6 Day, I've taken the opportunity to write a brief how-to on setting up an IPv6 tunnel with Hurricane Electric's Tunnelbroker service.
1) Go to http://tunnelbroker.net
2) Register/Login
3) Create Regular Tunnel -> IPv4 Endpoint (Your Side): enter your public IP address, example: 9.33.21.35
   Select the tunnel endpoint closest to you, example: Los Angeles, CA, US

If you have a firewall, allow ICMP packets from source IP 66.220.2.74 (Tunnelbroker pings your endpoint before it creates the tunnel):

# iptables -A INPUT -p icmp -s 66.220.2.74 -j ACCEPT

On the Main Page, under the tunnel you just created, you get the following information:

Server IPv4 Address: 74.82.46.6
Server IPv6 Address: 2001:1337:24:3ac::1/64
Client IPv4 Address: 9.33.21.35
Client IPv6 Address: 2001:1337:24:3ac::2/64
Routed /64:          2001:db8:12:413::/64

Configure your firewall to allow the tunnel traffic from the 74.82.46.6 endpoint (6in4 tunnel packets are IP protocol 41):

# iptables -A INPUT -p 41 -s 74.82.46.6 -j ACCEPT

This is sufficient information to create an IPv6 tunnel.

Setting up IPv6 Tunnel on Debian/Ubuntu:
----------------------------------------
The guide below is Debian/Ubuntu specific. It may or may not work on other Linux flavors.

1) Edit the /etc/network/interfaces file (# vim /etc/network/interfaces)

## Add these lines to set up a tunnel to your endpoint from the information gathered above
auto mytunnel0
iface mytunnel0 inet6 v4tunnel
    address 2001:1337:24:3ac::2
    netmask 64
    endpoint 74.82.46.6
    local 9.33.21.35
    up ip -6 route add default dev mytunnel0
    down ip -6 route del default dev mytunnel0

# This is the network configuration for your default network interface. Leave it the way it is.
auto eth0
iface eth0 inet dhcp

# Add these lines to assign a static IPv6 address to your network interface from your very own routed /64 subnet.
iface eth0 inet6 static
    address 2001:db8:12:413::1
    netmask 64
############EOF################

That's it.
If you want to load it without rebooting the server:

# ifup mytunnel0
# ifdown eth0 && ifup eth0

or, reboot:

# reboot

Setting up IPv6 Tunnel on FreeBSD/PC-BSD
-----------------------------------------
Using /etc/rc.conf:
============
## Edit /etc/rc.conf and add these lines according to the tunnel information above:
ipv6_enable="YES"
ipv6_gateway_enable="YES"
ipv6_network_interfaces="lo0 gif0"
ipv6_ipv4mapping="YES"
gif_interfaces="gif0"
gifconfig_gif0="9.33.21.35 74.82.46.6"
ipv6_ifconfig_gif0="2001:1337:24:3ac::2 2001:1337:24:3ac::1 prefixlen 128"
ipv6_defaultrouter="2001:1337:24:3ac::1"
# Assuming your default network interface is re0, add this line to assign an address from the /64 subnet allocated to you.
ifconfig_re0_alias0="inet6 2001:db8:12:413::1 prefixlen 64"

Using script:
============
#!/usr/local/bin/bash
# Script: /root/ipv6_tunnel.sh
ifconfig gif0 create
ifconfig gif0 tunnel 9.33.21.35 74.82.46.6
ifconfig gif0 inet6 2001:1337:24:3ac::2 2001:1337:24:3ac::1 prefixlen 128
# The default route points at the Server IPv6 Address from the tunnel information above
route -n add -inet6 default 2001:1337:24:3ac::1
ifconfig gif0 up
ifconfig re0 inet6 2001:db8:12:413::1 prefixlen 64 alias

If you are planning to bind your services/applications on both IPv4 and IPv6 sockets, it's necessary to tune some sysctl values.

On GNU/Linux:
-------------
# sysctl -w net.ipv6.bindv6only=0
# echo net.ipv6.bindv6only=0 >> /etc/sysctl.conf

On FreeBSD/PC-BSD:
------------------
# sysctl -w net.inet6.ip6.v6only=0
# echo net.inet6.ip6.v6only=0 >> /etc/sysctl.conf

Testing IPv6 Connectivity:
--------------------------
$ ping6 ipv6.google.com
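As an added example that is not part of the original post, the Python script below derives both the Debian and the FreeBSD configuration from the five values shown on the Tunnelbroker page and checks them for the mismatches that are easy to make by hand (the default router must be the server's tunnel address, and the routed /64 must not overlap the tunnel /64). The addresses are the documentation examples used above; the dictionary and function names are my own.

```python
import ipaddress
# Constructed input: the five values from the Tunnelbroker main page above (documentation addresses).
TUNNEL = {
    "server_v4": "74.82.46.6",
    "client_v4": "9.33.21.35",
    "server_v6": "2001:1337:24:3ac::1/64",
    "client_v6": "2001:1337:24:3ac::2/64",
    "routed_64": "2001:db8:12:413::/64",
}
def check_tunnel(t):
    """Validate the values; return (server, client, routed) as ipaddress objects."""
    for key in ("server_v4", "client_v4"):
        ipaddress.IPv4Address(t[key])  # raises ValueError on a malformed address
    srv = ipaddress.IPv6Interface(t["server_v6"])
    cli = ipaddress.IPv6Interface(t["client_v6"])
    routed = ipaddress.IPv6Network(t["routed_64"])
    if srv.network != cli.network:
        raise ValueError("tunnel endpoints must share one /64")
    if routed.overlaps(srv.network):
        raise ValueError("routed /64 must not overlap the tunnel /64")
    return srv, cli, routed

def tunnel_is_consistent(t):
    try:
        return bool(check_tunnel(t))
    except ValueError:
        return False

def debian_interfaces(t, lan_if="eth0", tun_if="mytunnel0"):
    """Render the /etc/network/interfaces stanzas for the tunnel and the LAN address."""
    srv, cli, routed = check_tunnel(t)
    return "\n".join([
        f"auto {tun_if}", f"iface {tun_if} inet6 v4tunnel",
        f"    address {cli.ip}", f"    netmask {cli.network.prefixlen}",
        f"    endpoint {t['server_v4']}", f"    local {t['client_v4']}",
        f"    up ip -6 route add default dev {tun_if}",
        f"    down ip -6 route del default dev {tun_if}", "",
        f"iface {lan_if} inet6 static",
        f"    address {routed[1]}",  # ::1 of the routed /64 goes on the LAN side
        f"    netmask {routed.prefixlen}",
    ])

def freebsd_rcconf(t, lan_if="re0"):
    """Render the rc.conf lines; the default router is the server's tunnel address."""
    srv, cli, routed = check_tunnel(t)
    return "\n".join([
        'gif_interfaces="gif0"', f'gifconfig_gif0="{t["client_v4"]} {t["server_v4"]}"',
        f'ipv6_ifconfig_gif0="{cli.ip} {srv.ip} prefixlen 128"', f'ipv6_defaultrouter="{srv.ip}"',
        f'ifconfig_{lan_if}_alias0="inet6 {routed[1]} prefixlen {routed.prefixlen}"',
    ])
```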
Friday, June 03, 2011
Bash script to upload screenshot to imgur.com
#!/bin/sh
# Fetch imgur's upload helper once; it is pulled over plain HTTP with no integrity check.
if [ ! -f imgurbash.sh ]; then
    wget http://imgur.com/tools/imgurbash.sh
fi
# BSD sed does not understand GNU's -r flag; rewrite it to the equivalent -E
result=$(uname -a | grep -i -c bsd)
if [ "$result" -gt 0 ]; then
    sed 's/sed -r/sed -E/g' imgurbash.sh > /tmp/imgurbash.tmp
    mv /tmp/imgurbash.tmp imgurbash.sh
fi
# Capture the whole screen with ImageMagick's import and upload it
filename="screenshot-$(date +%s).png"
import -window root "$filename"
bash imgurbash.sh "$filename"
FreeBSD Jail + IPFW + NAT
Running a NATed jail under FreeBSD is quite helpful when you don't have a public internet-routable IP address available except the host's. With the combination of ipfw and natd it is possible to share the same address space and ports as the host and forward certain ports to jail services.
BSDGurl has written a handy ezjail guide available at http://bsdgurl.net/text/ezjail-guide.txt. With her permission, I'm adapting the first part of this tutorial from it.
Setting Up Ezjail:
Install sources:
# sysinstall
Select all sources from Configure -> Distributions -> src and install them

Buildworld:
# cd /usr/src
# make buildworld

Compile ezjail port:
# cd /usr/ports/sysutils/ezjail && make install clean

Prepare Base System:
# ezjail-admin update -p -i

Create Your Jail (replace mydomain.org and the IP address):
# ezjail-admin create -r /usr/jails/mydomain.org mydomain.org 1.2.3.4

Add alias IP to interface (example: em0) and turn on ezjail service:
# echo 'ifconfig_em0_alias0="inet 1.2.3.4 netmask 255.255.255.255"' >> /etc/rc.conf
# echo 'jail_socket_unixiproute_only="NO"' >> /etc/rc.conf
# echo 'ezjail_enable="YES"' >> /etc/rc.conf

Configure syslogd to listen on both host and jail:
# echo 'syslogd_flags="-ss"' >> /etc/rc.conf

Copy resolv.conf from host to jail:
# cp /etc/resolv.conf /usr/jails/mydomain.org/etc/

Start Jail:
# /usr/local/etc/rc.d/ezjail.sh start

Some useful jail commands:
jls                                    => list jails
jexec 1 /bin/sh                        => connects to jail console
/usr/local/etc/rc.d/ezjail.sh restart  => restarts all jails
ezjail-admin delete -w mydomain.org    => deletes mydomain.org jail

Okay, now that's done, we will set up ipfw and natd. We will now create a basic IPFW rules file.
For an advanced example, take a look at BSDGurl's IPFW Guide Page: http://bsdgurl.net/text/ipfw-guide.txt

# ee /usr/local/etc/myfirewall.rules

Example contents of file /usr/local/etc/myfirewall.rules
-----------------START-------------
# Example Interface: em0
# List of Ports:
# Host SSH: 4567
# HOST WEB SERVER: 8080,4443
# JAIL SSH: 7890
# JAIL WEB SERVER: 80, 443
# JAIL DNS SERVER: 53
IPF="ipfw -q add"
ipfw -q -f flush
# Replace with your interface
PIF="em0"
# Host IP
inet="172.16.83.84"
# Jail IP
jail="1.2.3.4"

$IPF 10 allow all from any to any via lo0
# Loopback traffic is already allowed by rule 10; anything else addressed to or from 127/8 is spoofed
$IPF 20 deny all from any to 127.0.0.0/8
$IPF 25 deny all from 127.0.0.0/8 to any
$IPF 40 deny tcp from any to any frag
$IPF 41 allow tcp from any to me 4567 established
# Allow out NATed traffic from Jail. This is source-NATed traffic (natd rewrites the jail source to the host address).
$IPF 45 divert natd ip from $jail to not me out via $PIF
$IPF 46 skipto 10000 ip from any to any diverted
# Allow all remaining outgoing traffic
$IPF 110 allow all from me to any out
# Allow NATed traffic to Jail. This is destination-NATed traffic (redirect_port entries); natd (NAT daemon) will take care of it.
$IPF 150 divert natd ip from not me to any in via $PIF
$IPF 160 skipto 10000 ip from any to any diverted
# Allow ICMP from friendly subnet and deny the rest
$IPF 165 allow icmp from 172.16.83.0/24 to me
$IPF 166 deny icmp from any to any
# Allow inbound ports to host services with a maximum of 2 concurrent connections per source address
# We will not add Jail services ports here. They are specified in the natd config file.
$IPF 171 allow tcp from any to $inet 4567 in via $PIF setup limit src-addr 2
$IPF 172 allow tcp from any to $inet 8080 in via $PIF setup limit src-addr 2
$IPF 173 allow tcp from any to $inet 4443 in via $PIF setup limit src-addr 2
# Log and deny the traffic
$IPF 500 deny log logamount 10000 ip from any to any
# This is where all diverted NAT traffic is skipped to after being processed.
$IPF 10000 allow ip from any to any
-----------------STOP-------------

Verify your ipfw firewall is enabled in /etc/rc.conf:
firewall_enable="YES"
firewall_script="/usr/local/etc/myfirewall.rules"

Specify ports to be redirected in the natd rules file /usr/local/etc/natd.rules (More Info: http://freebsd.rogness.net/redirect.cgi?basic/nat.html)

# ee /usr/local/etc/natd.rules

Example contents of file /usr/local/etc/natd.rules (Format: redirect_port proto jail_ip:jail_port [host_ip:]host_port)
-----------------START-------------
redirect_port tcp 1.2.3.4:4567 4567
redirect_port tcp 1.2.3.4:80 80
redirect_port tcp 1.2.3.4:443 443
-----------------STOP-------------

Enable natd service:
# echo 'natd_enable="YES"' >> /etc/rc.conf
# echo 'natd_interface="em0"' >> /etc/rc.conf
# echo 'natd_flags="-config /usr/local/etc/natd.rules"' >> /etc/rc.conf

Test to verify both host and jail services are accessible.

If you wish to ping from within the jail, run this command:
# echo security.jail.allow_raw_sockets=1 >> /etc/sysctl.conf
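As an added check that is not part of the original guide: the Python script below reads the natd.rules lines and the inbound host allow rules from myfirewall.rules and reports external ports that natd redirects to the jail while an ipfw rule also allows them to the host. Because divert rule 150 runs before rules 171-173, natd rewrites such a packet to the jail first and the host service on that port is unreachable from outside; on the example files above it flags port 4567 (host SSH versus the jail redirect). The sample inputs are copies of the rules above; the function names are my own.

```python
import re

# Constructed inputs: the natd.rules lines and the host rules from the example files above.
NATD_RULES = """\
redirect_port tcp 1.2.3.4:4567 4567
redirect_port tcp 1.2.3.4:80 80
redirect_port tcp 1.2.3.4:443 443
"""
IPFW_RULES = """\
$IPF 150 divert natd ip from not me to any in via $PIF
$IPF 171 allow tcp from any to $inet 4567 in via $PIF setup limit src-addr 2
$IPF 172 allow tcp from any to $inet 8080 in via $PIF setup limit src-addr 2
$IPF 173 allow tcp from any to $inet 4443 in via $PIF setup limit src-addr 2
"""

# natd: redirect_port <proto> <jail_ip>:<jail_port> [<host_ip>:]<host_port>
REDIRECT_RE = re.compile(r"^redirect_port\s+(tcp|udp)\s+(\S+?):(\d+)\s+(?:\S+:)?(\d+)\s*$")
# ipfw: an inbound allow for a single TCP/UDP port on the host address ($inet or "me")
HOST_ALLOW_RE = re.compile(
    r"^\$IPF\s+(\d+)\s+allow\s+(tcp|udp)\s+from\s+\S+\s+to\s+(?:\$inet|me)\s+(\d+)\s+in\b")

def parse_natd(text):
    """Map (proto, external_port) -> (jail_ip, jail_port) from a natd rules file."""
    redirects = {}
    for line in text.splitlines():
        m = REDIRECT_RE.match(line.strip())
        if m:
            proto, jail_ip, jail_port, ext_port = m.groups()
            redirects[(proto, int(ext_port))] = (jail_ip, int(jail_port))
    return redirects

def parse_host_allows(text):
    """Map (proto, port) -> ipfw rule number for inbound allows to the host."""
    allows = {}
    for line in text.splitlines():
        m = HOST_ALLOW_RE.match(line.strip())
        if m:
            num, proto, port = m.groups()
            allows[(proto, int(port))] = int(num)
    return allows

def shadowed_host_ports(natd_text, ipfw_text):
    """Ports natd redirects to the jail that an ipfw rule also allows to the host.
    The divert rule comes first, so natd rewrites the packet and the host rule never fires."""
    redirects = parse_natd(natd_text)
    allows = parse_host_allows(ipfw_text)
    return sorted((proto, port, allows[(proto, port)], redirects[(proto, port)])
                  for (proto, port) in redirects if (proto, port) in allows)
```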
Monday, March 15, 2010
qwebirc - installation and configuration with cgiirc enabled
==Installation==
=Debian/Ubuntu=
# apt-get install mercurial
# apt-get install python-twisted-names
# apt-get install python-twisted-mail
# apt-get install python-twisted-web
# apt-get install python-twisted-words

=FreeBSD/PCBSD=
# cd /usr/ports/devel/mercurial && make install clean
# cd /usr/ports/www/py-twistedWeb && make install clean
# cd /usr/ports/dns/py-twistedNames && make install clean
# cd /usr/ports/mail/py-twistedMail && make install clean
# cd /usr/ports/net-im/py-twistedWords && make install clean

$ cd ~/
$ hg clone http://hg.qwebirc.org qwebirc
$ cd qwebirc
$ hg up -C stable
$ hg pull
$ hg up

==Configuration==
Create config.py with the following content:

File: config.py
--------------------------------
from qwebirc.config_options import *
IRCSERVER, IRCPORT = "irc.myserver.com", 6667
REALNAME = "http://moo.com/"
IDENT = "webchat"
WEBIRC_MODE = None
BASE_URL = "http://foo.foo.org/"
NETWORK_NAME = "FooNet"
APP_TITLE = NETWORK_NAME + " Web IRC"
FEEDBACK_FROM = "moo@moo.com"
FEEDBACK_TO = "moo@moo.com"
FEEDBACK_SMTP_HOST, FEEDBACK_SMTP_PORT = "127.0.0.1", 25
ADMIN_ENGINE_HOSTS = ["127.0.0.1"]
UPDATE_FREQ = 0.5
MAXBUFLEN = 100000
MAXSUBSCRIPTIONS = 1
MAXLINELEN = 600
DNS_TIMEOUT = 5
HTTP_AJAX_REQUEST_TIMEOUT = 30
HTTP_REQUEST_TIMEOUT = 5
HMACKEY = "mrmoo"  # replace with a long random value; this key must stay secret
HMACTEMPORAL = 30
AUTHGATEDOMAIN = "webchat_test"
QTICKETKEY = "boo"  # replace with a long random value as well
AUTH_SERVICE = "Q!TheQBot@CServe.quakenet.org"
AUTH_OK_REGEX = "^You are now logged in as [^ ]+\\.$"
import dummyauthgate as AUTHGATEPROVIDER
-----End of File----------------

Modify the default values like IRCSERVER, REALNAME, IDENT, BASE_URL, NETWORK_NAME, FEEDBACK_FROM, FEEDBACK_TO, AUTHGATEDOMAIN, QTICKETKEY.

To start the server (with default port 9090 and all IPs):
cd ~/qwebirc
./run.py

To start the server on port 7777:
cd ~/qwebirc
./run.py -p 7777

To start the server on port 7777 and the specific IP 1.2.3.4:
cd ~/qwebirc
./run.py -i 1.2.3.4 -p 7777

==Enabling CGIIRC==
Modify the value of WEBIRC_MODE in config.py and add WEBIRC_PASSWORD as shown below:

File: config.py (partial)
-------------------------
WEBIRC_MODE = "webirc"
WEBIRC_PASSWORD = "some-secret-password"
------End of File--------

If you are using UnrealIRCd, add these lines in unrealircd.conf:

File: unrealircd.conf (partial)
-------------------------------
cgiirc {
    type webirc;
    hostname "irc.myserver.com";
    password "some-secret-password";
};
------End of File---------------

For other IRC servers, use this link for reference: Enable Mibbit on Your IRC Server
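To show what the cgiirc block above makes the IRC server check, here is an added example (my own code, not qwebirc's or UnrealIRCd's) of the server side of the WEBIRC handshake: the gateway's first line is WEBIRC <password> <gateway> <hostname> <ip>, and the server attaches the claimed hostname and IP to the web user only when the connecting host has a cgiirc block and the shared password matches. The dictionary and function names, and the 203.0.113.x test addresses, are assumptions.

```python
import hmac
import ipaddress

# Constructed example: the trusted gateways an IRC server would know from its cgiirc
# blocks, keyed by the host the web gateway connects from. The password is the
# WEBIRC_PASSWORD shared with qwebirc's config.py above (example value).
CGIIRC_BLOCKS = {
    "irc.myserver.com": "some-secret-password",
}

def parse_webirc(line):
    """Split 'WEBIRC <password> <gateway> <hostname> <ip>' into its fields, or None."""
    parts = line.strip().split(" ")
    if len(parts) != 5 or parts[0].upper() != "WEBIRC":
        return None
    return {"password": parts[1], "gateway": parts[2], "host": parts[3], "ip": parts[4]}

def accept_webirc(line, connecting_host, blocks=CGIIRC_BLOCKS):
    """Return the (hostname, ip) to attach to the web user, or None to keep the
    gateway's own address. Trust requires a cgiirc block for the connecting host
    and the shared password; the claimed ip must also parse as an address."""
    msg = parse_webirc(line)
    if msg is None:
        return None
    expected = blocks.get(connecting_host)
    if expected is None:
        return None
    # constant-time comparison so a wrong password is not distinguishable by timing
    if not hmac.compare_digest(expected.encode(), msg["password"].encode()):
        return None
    try:
        ipaddress.ip_address(msg["ip"])
    except ValueError:
        return None
    return msg["host"], msg["ip"]
```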